Cannot make my LDAP configuration work

Symptoms

  • I am not able to log in on Jenkins
  • LDAP groups are not recognized by Jenkins
  • In /whoAmI, LDAP groups do not appear

Diagnosis/Treatment

  • Pre-conditions:
      • When configuring the LDAP plugin for the first time, the login does not work.
      • While testing, Authorization is set to "Anyone can do anything". Notice that otherwise an incorrect configuration can leave you unable to log in anymore: https://wiki.jenkins-ci.org/display/JENKINS/Disable+security

Only set-up the minimum configuration

When working with the LDAP plugin for the first time, you should not configure any field beyond the ones shown on the image below. Notice that an incorrect User search filter may prevent the user from logging in.

The only options which should be filled are:
* Server
* root DN
* User search filter: depending on your LDAP set-up, one of three different options might work. If you don't know how your LDAP tree is configured, you might want to test all of them:
  * cn={0}
  * uid={0}
  * sAMAccountName={0} [This is the option you want to use if you are configuring the LDAP plugin to work with an AD server]
* Manager DN: sometimes LDAP servers allow anonymous binding, so configuring a Manager DN is not needed.
* Manager password: sometimes LDAP servers allow anonymous binding, so configuring a Manager password is not needed.

ldap-min-configuration.png

After this, log in and go to http:///whoAmI/ to check that the groups are correctly retrieved.

ldap-whoami.png

Tune the Group membership filter

To improve the performance of the LDAP query, put one of the following values in the text field that appears when you select the option Search for groups containing user:
* (member={0})
* (uniqueMember={0})
* (memberUid={1})
* (memberOf={0}) [Only for Active Directory servers]

The reason is the way the LDAP query is built. By default the group membership filter is (| (member={0}) (uniqueMember={0}) (memberUid={1})). This default catches most LDAP schemas, but it is at least three times slower than the single filter that is correct for your schema. The correct filter for your schema will be one of (member={0}), (uniqueMember={0}) or (memberUid={1}).

Changing to the correct filter gives a threefold increase in performance.
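To see why the default filter costs three comparisons per group where one would do, and to pick the right one from a group entry, here is an added Python example (not part of this article or of the Jenkins LDAP plugin). It assumes the plugin's placeholders, {0} for the user's full DN and {1} for the username; the helpers recommend_group_filter and build_group_filter are my own names, and values are escaped per RFC 4515 so a crafted username cannot widen the search.

```python
# Templates from this page: the plugin default and the schema-specific ones.
DEFAULT_GROUP_FILTER = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))"
SCHEMA_FILTERS = {              # membership attribute -> single-clause filter
    "member": "(member={0})",               # groupOfNames
    "uniqueMember": "(uniqueMember={0})",   # groupOfUniqueNames
    "memberUid": "(memberUid={1})",         # posixGroup
}
AD_GROUP_FILTER = "(memberOf={0})"          # Active Directory only

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(template: str, user_dn: str, username: str) -> str:
    """Fill a template: {0} is the user's full DN, {1} the login username."""
    return (template.replace("{0}", escape_filter_value(user_dn))
                    .replace("{1}", escape_filter_value(username)))


def recommend_group_filter(group_entry: dict) -> str:
    """Pick the single filter matching how one of your group entries lists members.

    group_entry maps attribute names to value lists, as shown by ldapsearch for
    a group object. Unknown schemas fall back to the plugin default.
    """
    present = {name.lower() for name in group_entry}
    for attr, template in SCHEMA_FILTERS.items():
        if attr.lower() in present:
            return template
    return DEFAULT_GROUP_FILTER


# Constructed sample: a posixGroup entry as ldapsearch might return it.
SAMPLE_POSIX_GROUP = {
    "objectClass": ["posixGroup"],
    "cn": ["developers"],
    "memberUid": ["alice", "bob"],
}

if __name__ == "__main__":
    dn, uid = "uid=alice,ou=people,dc=example,dc=com", "alice"
    chosen = recommend_group_filter(SAMPLE_POSIX_GROUP)
    print("default :", build_group_filter(DEFAULT_GROUP_FILTER, dn, uid))
    print("tuned   :", build_group_filter(chosen, dn, uid))
```

Run it against the attributes of one of your real group entries to see which single clause the plugin actually needs.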

To check that the filter is working correctly, log in and go to http:///whoAmI/ to verify that the groups are correctly retrieved.
